Here's the rule from the error:

<group name="syslog,access_control,">
  <rule id="2501" level="0">
    <match> esm</match>
    <group>authentication_failed,</group>
    <description>User authentication failure.</description>
  </rule>
</group>

If I comment it out, it just says the next rule is a duplicate, and so on and so on. None are overwrite rules.

On Thursday, April 5, 2018 at 4:04:56 AM UTC-6, dan (ddpbsd) wrote:
> On Wed, Apr 4, 2018, 8:56 PM Cooper <coope...@gmail.com> wrote:
>
>> Sorry Dan, I'm horribly new to managing ossec (yesterday). How would I
>> know that?
>
> Look for 'overwrite="yes"' in the rule.
>
>> On Wednesday, April 4, 2018 at 6:54:14 PM UTC-6, dan (ddpbsd) wrote:
>>>
>>> On Wed, Apr 4, 2018, 8:50 PM Cooper <coope...@gmail.com> wrote:
>>>
>>>> When trying to start our new 2.9.3 ossec server, I receive the
>>>> following error:
>>>>
>>>> 2018/04/04 19:45:39 ossec-analysisd: Duplicate rule ID:2501
>>>> 2018/04/04 19:45:39 ossec-testrule(1220): ERROR: Error loading the rules: 'local_rules.xml'.
>>>>
>>>> However, inside local_rules, there's only one rule with an ID of 2501.
>>>> If I comment out that rule, it just says that the next rule is a
>>>> duplicate. These rules are being migrated from a working 2.7.2 install.
>>>> Anyone run into this before?
>>>
>>> Are these overwrite rules?

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
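
One way to run the check Dan asks about, as an added example that is not part of the original thread: this Python script lists rule IDs that are defined more than once across a set of rules files where a later definition lacks overwrite="yes". The file name stock_rules.xml, both sample file contents apart from the 2501 rule quoted above, and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

RULE_TAG = re.compile(r'<rule\s+([^>]*)>')
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
COMMENT = re.compile(r'<!--.*?-->', re.S)

def parse_rules(name, text):
    """Yield (rule_id, file, line, is_overwrite) for each live <rule> tag."""
    # Blank out XML comments but keep newlines so line numbers stay correct.
    text = COMMENT.sub(lambda m: re.sub(r'[^\n]', ' ', m.group(0)), text)
    for m in RULE_TAG.finditer(text):
        attrs = dict(ATTR.findall(m.group(1)))
        if 'id' in attrs:
            line = text.count('\n', 0, m.start()) + 1
            yield attrs['id'], name, line, attrs.get('overwrite') == 'yes'

def find_duplicates(files):
    """files: (name, text) pairs in load order. Returns {id: [definitions]}
    for IDs where some later definition is not marked overwrite="yes"."""
    seen = defaultdict(list)
    for name, text in files:
        for rid, fname, line, ow in parse_rules(name, text):
            seen[rid].append((fname, line, ow))
    return {rid: defs for rid, defs in seen.items()
            if len(defs) > 1 and not all(ow for _, _, ow in defs[1:])}

# Constructed sample input: an earlier-loaded file and a local_rules.xml.
STOCK = '''<group name="syslog,">
  <rule id="2501" level="5">
    <description>User authentication failure.</description>
  </rule>
  <rule id="2502" level="10">
    <description>Constructed second rule.</description>
  </rule>
</group>
'''
LOCAL = '''<group name="syslog,access_control,">
  <rule id="2501" level="0">
    <match> esm</match>
    <description>User authentication failure.</description>
  </rule>
  <!-- <rule id="2501" level="3"> commented out, ignored -->
  <rule id="2502" level="0" overwrite="yes">
    <description>Constructed overwrite.</description>
  </rule>
</group>
'''
SAMPLE_FILES = [("stock_rules.xml", STOCK), ("local_rules.xml", LOCAL)]

if __name__ == "__main__":
    for rid, defs in find_duplicates(SAMPLE_FILES).items():
        print(rid, defs)
```

To use it on a real install, read each rules file in the order it is loaded and pass the (name, text) pairs to find_duplicates.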